Cons

No smartphone-based authentication.

No actionable weak-passwords report.

Overwhelming options in desktop edition.

Limited secure sharing.

Bottom Line

RoboForm Everywhere 7 lets you sync your passwords across all your desktop and mobile devices, and the mobile editions are no longer limited.
It can be a good choice, and it's free if you stick to mobile, no desktop installations.

27 Apr 2017

Were you using a password manager 16 years ago? If so, chances are good it was the venerable RoboForm, because there weren't many other choices back then. It's been six years since the program's last major update, so RoboForm 8 Everywhere is decidedly welcome. This new version adds a number of features that have become popular since that last update, but it doesn't quite catch up to the current top products.

Your $19.95 per year subscription lets you use RoboForm on all your Windows, macOS, Android, iOS, Windows Phone, and even Linux devices. That's a decent price. Dashlane and LogMeOnce cost about twice as much, and Sticky Password splits the difference. LastPass and Zoho Vault do cost less, just $12 per year. Of course, there are also free password managers to choose from, too.

This release marks the demise of the one-device, one-time-payment RoboForm Desktop. If you truly want to use RoboForm on a single device, with no syncing or online access, you can use RoboForm 8 for free. The same is true of Dashlane and several other competitors. The lack of syncing is a strong enough limitation that I don't treat these free versions as full-fledged free password managers, however. LastPass 4.0 lets you sync across all your devices, but it reserves certain advanced features for the premium edition. LogMeOnce's free version offers a full feature set, but puts limits on some of those features.

Getting Started With RoboForm

You start by creating your RoboForm account online. The download page presents the installer appropriate for the platform you're using. Installation is quick and simple, and it adds extensions to Chrome, Firefox, Internet Explorer, and Opera. Once the installation process is complete, RoboForm displays a webpage with numerous video tutorials.

Windows 10 users can get the RoboForm extension for Microsoft Edge from the Windows Store. Note that RoboForm's Edge edition doesn't have quite the full feature set that you get with other browsers.

Modern browsers do their own password management, but they're less secure than a proper password manager. RoboForm can import passwords from Chrome, Firefox, Internet Explorer, and Opera. The similar features in LastPass, Dashlane, and True Key by Intel Security go even farther, deleting the passwords from the browser and turning off password capture. You'll need to perform those cleanup tasks yourself after importing into RoboForm.

RoboForm can import passwords from LastPass, Dashlane, Symantec Norton Identity Safe, 1Password, and KeePass, and can also import from a correctly formatted CSV file. In addition, it can import bookmarks from Xmarks, a bookmark-syncing tool owned by LastPass. That's a relatively small collection of import options. LastPass imports from more than 30 competing products, and KeePass from almost 40.

New User Interface

After six years with no updates, the old RoboForm was looking a bit dated. One feature of version 8 is an updated user interface. It looks different, but the overall organization hasn't changed much. Compared to modern password managers this new interface still seems a bit confusing.

A left rail menu lets you choose among eight categories of stored data: Logins, Bookmarks, Applications, Identities, Contacts, Safenotes, All, and Shared. Just to the right of this menu is a list of items, which you can organize into a multilevel folder tree. Confusingly, it displays the entire tree even when some folders don't contain any items matching the selected category. The remainder of the main window displays the selected item and lets you edit the item's details.

Other commands sprawl all over the place. A More menu at the top of the folder tree displays most, but not all, of the commands that become available when you right-click an item, and the right-click menu holds most, but not all, of the commands from the More menu. Another More menu in the editing area has one command that's also on that right-click menu. Three free-standing items let you go to the selected site, go to the site and fill in credentials, or go to the site and log in with the saved credentials.

But wait; there's more! A pull-down menu above the left-rail menu offers a collection of useful functions, including access to program options and the Security Center password scorecard. Security Center also has its own button on the left-rail menu. The only way I can see to use the Emergency Access feature is to select it from the right-click menu of RoboForm's notification area icon. In addition, some features can only be accessed by logging in to RoboForm online. I prefer the streamlined interface style used by Dashlane, Keeper Password Manager & Digital Vault 10, and others.

Password Capture and Replay

Like almost all password manager utilities, RoboForm notices when you log in to a secure site and offers to save your credentials. You can give the entry (which RoboForm calls a passcard) a friendly name at capture, and you can assign it to a new or existing folder. Watch out when creating folders. I wasn't paying enough attention and wound up creating each folder inside the folder I created previously. Fortunately, it's a simple matter to organize passcards and folders using drag and drop.

RoboForm had no trouble with two-page logins like Google's and Yahoo's, and it handled some oddball login pages, such as one with two password fields and no username. If you run across a truly weird login page, one that RoboForm doesn't capture automatically, fear not. As with LastPass, Sticky Password Premium$16.99 at Sticky Password, Keeper, and a few others, you can fill in your credentials and then tell RoboForm to just capture all data fields on that page.

When you revisit a site for which you've previously saved credentials, RoboForm displays the matching passcard (or passcards) in the toolbar. You click to fill and submit your credentials. In Chrome, there isn't a toolbar, so you must choose your passcard from the toolbar button's menu. Dashlane 4See it at Dashlane, and several others, just fill your credentials automatically or, if you've saved more than one set, offer them in a popup menu near the credential entry fields. I prefer the latter implementation.

Like LastPass and Password Boss Premium v2.0$22.49 at Password Boss, RoboForm takes your list of logins and folders and turns it into a multilevel menu accessed via the browser toolbar button. Just select an item from this menu to visit the site and log in automatically. Don't remember which folder you used? No worries; search is built in, too.

Master Form Filler

RoboForm started life as AI RoboForm, a utility strictly designed to automate filling your personal data into web forms. It very quickly adopted password management as well, but the form-filling ability came first. Not surprisingly, RoboForm is very good at that task.

You can also add custom fields and values, though I don't imagine many users do. And you can have more than one instance of each data type in a single identity—for example, three credit cards, or two addresses.

To fill a web form with data, you click the desired identity in the toolbar or toolbar menu. Quite a few competing products fill forms without taking your focus away from the form itself. When you click in a field, they automatically fill the form with your default identity, or offer a menu of available identities.

In testing, RoboForm did a great job filling forms. In an unusual security touch, it asks for confirmation before filling sensitive fields such as credit card number and SSN. However, it wasn't immediately obvious how to choose between multiple instances of, for example, Address. It turns out that by clicking a symbol after the name of the identity you get the option to choose between instances, and to fill only empty fields.

Another unusual feature is the option to save personal data for your contacts. A contact is very much like an identity, but it includes only the Person, Business, and Address categories. That's convenient when you're buying a present online and having it shipped to one of your contacts.

Password Generator

The point of using a password manager is to maintain a unique and strong password for every website. Since you don't have to remember them yourself, your passwords can be totally random. That's where the password generator comes in.

You access the password manager via the toolbar button's menu. By default, it just gives you a password, with the option to drag it onto a field or copy it to the clipboard. However, using default settings it creates passwords of a mere eight characters, containing uppercase letters, lowercase letters, and digits, but not symbols. Click the Advanced settings link, change the length to 12 or even 16 characters, and check the box to include symbols. That's a strong password. Password Boss and AgileBits 1Password 6 default to 20 characters. I prefer to see defaults set for stronger passwords.

Application Passwords

Not all passwords unlock websites. There are also programs that require their own passwords. LastPass, AceBIT Password Depot 8, and RoboForm are among the few that handle passwords for Windows applications as well as websites. RoboForm's handling of this feature is very smooth.

When it detects a password-entry dialog, it appends a toolbar to the bottom of the program. You enter your credentials and save them to RoboForm, much the way you let it capture website logins. If there's already a password saved, you can click a button on that toolbar to fill in credentials. You can also click the passcard in RoboForm's main window to launch the program and log in.

Limited Two-Factor Authentication

If the only thing protecting your password stash is a master password, then anybody who gets hold of that password totally owns your credentials. Two-factor authentication means that authentication requires something more than just the password. This could be something you have, such as a smartphone or a security device, or it could be something you are, such as your fingerprint or voiceprint.

Authentication using a text sent to your smartphone is falling out of favor, because the SMS system isn't secure. However, authentication using an app on your smartphone is popular. Dashlane, LastPass, LogMeOnce Password Management Suite Ultimate, and a few others are compatible with Google Authenticator and its workalikes. LastPass and Keeper have their own authentication apps.

Intel's True Key is laser-focused on multifactor authentication, so much so that you can use several other factors to unlock its password store even without the master password. Dashlane supports authentication using a U2F (Universal Two Factor) device such as the latest Yubikey. LastPass 4.0 Premium$2 at LastPass offers more multifactor choices than the rest, ranging from high-tech devices to a simple paper grid that you keep in your wallet.

As for RoboForm, its two-factor options are limited. To supplement the master password, you can require fingerprint authentication, but only with a Windows Biometric Framework device. The previous edition supported smartcard authentication, but that feature went mostly unused.

By logging in to your RoboForm account online, you can enable the One-Time Password (OTP) feature. This feature kicks in any time RoboForm detects login from a device not seen before. It sends the OTP to the email address or smartphone number you specified. Without that code, it doesn't permit access for the new device. This isn't full-on two-factor authentication, but it does prevent unauthorized login on a new device.

Emergency Password Access

If you were to be hit by a bus tomorrow, would your heirs be able to access your digital assets? Quite a few states have passed legislation declaring that your heirs have a right to those assets, but the laws don't necessarily define just how this digital inheritance would happen. Many modern password management tools include one method or another for ensuring that your heirs can access your online accounts. With version 8, RoboForm joins this group.

I had a bit of trouble finding this feature, a problem exacerbated by the fact that the online manual and FAQs still reference version 7, which didn't have it. It turns out that you must right-click the RoboForm icon in the notification area and choose Emergency Access. The resulting window has two tabs, one for your emergency contacts and one for people who've designated you as their digital heir.

Setting up emergency access is simple. You enter the emergency contact's email address and specify a time-out period from immediate to 30 days. The recipient gets an email explaining the process, and a link to download and install the free version of RoboForm, if necessary. During the install process, it asks for confirmation that the recipient accepts the offer of emergency access.

The purpose of the time-out is to avoid misuse of this feature. When your emergency contact requests access, you get a notification by email. If you're still alive and kicking, you can cut off access (and look for a more trustworthy emergency contact). Once the time-out expires, your emergency contact gets full access.

Emergency access in LastPass works in much the same way. Dashlane lets you offer a subset of your logins to the contact. With LogMeOnce, you can bequeath your whole password collection to an heir, or assign them one at a time to inheritors. And Zoho Vault distinguishes personal and work passwords. In a work situation, the Zoho Vault administrator can always take over the work passwords if, say, an employee leaves the company.

Secure Sharing

Also new in this edition, RoboForm permits sharing individual passcards, in several ways. On the right-click menu for a passcard are two options, Sharing and Send. With either one, you simply enter the email address of the recipient. The main difference between the two options is that when you make changes to a shared passcard, changes sync to the recipient. If you chose Send, there's no ongoing connection. Those using the free edition can receive passcards you send, but they can't participate in sharing.

Like Keeper and 1Password, RoboForm lets you create a folder for sharing logins. Create the folder, drag some logins into it, and add one or more users to share it. For each user, you choose a role. Limited means the recipient can log in using the passcard from the browser menu but can't view or edit it. A Regular User can both use and edit the passcard, and changes sync to all users of the shared folder. Finally, in the Manager role, the recipient can add new shares or edit exiting users.

Security Center

Once all of your passwords are stored in the password manager, it's time to start making improvements. The Security Center page lists all of your logins, identifying weak ones on one tab, reused passwords on another, and total duplicates on a third. Your first move should be to check the reused passwords, because when you use the same password on multiple websites, you multiply the effect of a security breach on any of them.

The similar feature in Dashlane, LastPass, and LogMeOnce includes the option to automate password change for specific popular sites. With RoboForm, each listed site has a link to log in, but you must handle changing the passwords yourself, possibly calling on the password generator for help. When you're done, RoboForm records the changed passwords.

With the dupes out of the way, go back to the main list and sort by password strength. Starting with the worst of them, fix a few every day until you see nothing but "Strong" in the password strength column. Now you're using your password manager in the best possible way!

For many password managers, a password containing at least eight characters and at least one of each character type (lowercase, uppercase, digits, and symbols) is considered strong. So, for example, "Password1!" would get a top rating. RoboForm takes a tougher view, using the open-source zxcvbn algorithm, which takes into account the use of dictionary words, names, and popular passwords.

Mobile Editions

RoboForm offers mobile editions for iOS, Android, and even Windows Phone. You simply download the free app from the appropriate store and link it to your account. The mobile editions have nearly the same functionality as the Windows and Mac desktop editions.

On an iOS device, launching a passcard opens it in the internal browser, by default. Note that for form filling support requires the internal browser. If you enable use of RoboForm in the sharing box, you can use it in Safari and in over 230 apps that support the sharing box. The list includes Twitter, and Tumblr, but not Facebook and Google, along with rafts of apps I've never encountered.

Although its appearance is different, RoboForm works in much the same way on Android devices. By enabling it in Accessibility settings, you can log into apps, and into websites on Chrome. Form filling works, but only in the internal browser.

Typing your master password on a smartphone can be tough, and yet you shouldn't leave your password manager unlocked. The mobile editions let you protect a logged-in session with a PIN, or Touch ID.

I did encounter something truly weird when I looked at the password generators. Under Windows, the default password length is eight characters. The default is 10 under iOS, which is a little better, but it's a dismal six under Android. Windows and Android permit passwords up to 512 characters, while the max under iOS is 20. All three cases include uppercase letters, lowercase letters, and digits by default. If you want punctuation (and you do!) you must turn on that option. The minimum number of digits defaults to one under Windows, none under Android, and five under iOS. The developers need to make the three password managers work the same, and raise the default minimum password length.

Almost Modern

RoboForm 8 Everywhere is a very welcome update, one awaited by fans for six years. It retains its powerful form-filling abilities and full-featured password management, and it adds several features that we've come to expect in modern password managers, in particular digital inheritance and secure sharing. However, in an age when many competing products are streamlining interfaces and working on ease of use, RoboForm's interface had me guessing quite a lot during this review. I found myself struggling to find features more often than I like.

Still, if you're one of RoboForm's many loyalists, you'll love this update. Even if you're not a fan, it's worth a look. But our Editors' Choice products have even more to offer. Though inexpensive, LastPass 4.0 Premium packs loads of features, including automatic password change. While its interface may be a bit complex, LogMeOnce Password Management Suite Ultimate 5.2 has every feature you can imagine. Sticky Password Premium supports a huge number of browsers. And Dashlane is the poster child for slick interface and ease of use.

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of … See Full Bio